Cable television (CATV) systems which provide access to regular television programming and "premium" or "pay-per-view" programming are well known. It has long been desirable to introduce fully downloadable CATV converters which can accept all of their operating software from a booter channel upon power up. Downloadable converters are easier to maintain than known read only memory (ROM) based products, and provide the additional advantage of allowing field upgradeability and customization as new features are introduced in a cable television system. Further, downloadable converters can serve as an essential bridge, via emulation software, for systems which wish to retire older products in a phased manner.
One important obstacle that has prevented the development of one-way CATV systems with downloadable converters is the issue of software security. For example, a "pirate" booter image could be loaded into a converter (e.g., by a subscriber who wants to receive premium channels without paying), which could defeat the integrity of the converter by permitting all video programs to be unscrambled without permission. This problem has been solved in a two-way CATV system using a technique described in co-pending, commonly assigned U.S. patent application Ser. No. 726,676, filed Apr. 24, 1985, entitled "Bootstrap Channel Security Arrangement for Communication Network", and incorporated herein by reference. In the apparatus and method disclosed in the co-pending application, software is downloaded on a booter channel via a communication network. A subscriber terminal coupled to the network initiates a communication with the network to receive downloaded booter data. The downloaded data is stored, and a checksum is computed from at least a portion of the downloaded data. The checksum is tested for validity, and control of the subscriber terminal is released to the downloaded software only if the checksum is valid.
It would be advantageous to provide a method and apparatus for securing the booter image in one-way CATV systems. In one-way systems, there is no ability to transfer a computed checksum back to the headend for verification. Thus, a system must be provided wherein verification of the booter image occurs at the subscriber converter, and wherein an illegitimate booter image prevents the converter from enabling the viewing of an unauthorized program. The present invention relates to such an apparatus and method.